Allow disable some cert type
rekby committed Jul 2, 2020
1 parent d3448bd commit 405aa40
Showing 10 changed files with 213 additions and 16 deletions.
2 changes: 1 addition & 1 deletion cmd/a_main-packr.go


2 changes: 2 additions & 0 deletions cmd/config.go
Expand Up @@ -35,6 +35,8 @@ type ConfigGeneral struct {
StoreJSONMetadata bool
IncludeConfigs []string
MaxConfigFilesRead int
AllowRSACert bool
AllowECDSACert bool
}

//go:generate packr
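Review bot: The two new bool fields on ConfigGeneral carry no doc comment, and their Go zero value is deny-all: a config file that omits both keys produces a Manager that refuses every certificate type, unless the embedded default-config.toml (which sets both to true) is merged in first — I cannot confirm that merge order from this hunk. Suggest documenting the intent and the default on the struct: `// AllowRSACert / AllowECDSACert gate which key types may be issued and served; both are true in default-config.toml, a missing key means deny.` The ConfigGeneral struct starts before this hunk.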
4 changes: 4 additions & 0 deletions cmd/main.go
Expand Up @@ -127,6 +127,10 @@ func startProgram(config *configType) {
certManager := cert_manager.New(acmeClient, storage, registry)
certManager.CertificateIssueTimeout = time.Duration(config.General.IssueTimeout) * time.Second
certManager.SaveJSONMeta = config.General.StoreJSONMetadata

certManager.AllowECDSACert = config.General.AllowECDSACert
certManager.AllowRSACert = config.General.AllowRSACert

for _, subdomain := range config.General.Subdomains {
subdomain = strings.TrimSpace(subdomain)
subdomain = strings.TrimSuffix(subdomain, ".") + "." // must ends with dot
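Review bot: Nothing rejects the combination AllowRSACert=false, AllowECDSACert=false, so a misconfigured file passes startup and only surfaces later as a failed handshake on every connection, since getCertificate returns a denied error for any key type. Fail fast here instead, before the manager is used: `if !config.General.AllowRSACert && !config.General.AllowECDSACert { /* log fatal: no certificate key type enabled */ }`, using whatever fatal logger startProgram already has. startProgram begins and ends outside this hunk.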
3 changes: 3 additions & 0 deletions cmd/static/default-config.toml
Expand Up @@ -31,6 +31,9 @@ IncludeConfigs = []
# For prevent infinite loop and consume all memory if cycle in includes
MaxConfigFilesRead = 10000

AllowRSACert = true
AllowECDSACert = true

[Log]
EnableLogToFile = true
EnableLogToStdErr = true
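Review bot: The new keys have no explanatory comment, unlike the neighbouring MaxConfigFilesRead which documents its purpose, so an operator reading the shipped default cannot tell what disabling one does or that at least one must stay true. Suggest preceding them with `# Key types the proxy may issue and serve. Disabling both leaves no usable certificate type, so keep at least one enabled.`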
14 changes: 11 additions & 3 deletions go.mod
Expand Up @@ -5,20 +5,28 @@ go 1.13
require (
github.com/BurntSushi/toml v0.3.1
github.com/aws/aws-sdk-go v1.29.19
github.com/gobuffalo/envy v1.9.0 // indirect
github.com/gobuffalo/packr v1.30.1
github.com/gobuffalo/packr/v2 v2.8.0 // indirect
github.com/gojuno/minimock/v3 v3.0.5
github.com/kardianos/minwinsvc v0.0.0-20151122163309-cad6b2b879b0
github.com/karrick/godirwalk v1.15.6 // indirect
github.com/maxatome/go-testdeep v1.1.0
github.com/miekg/dns v1.1.22
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.4.1
github.com/prometheus/client_model v0.2.0
github.com/rekby/zapcontext v0.0.4
github.com/rogpeppe/go-internal v1.6.0 // indirect
github.com/satori/go.uuid v1.2.0
github.com/sirupsen/logrus v1.4.2
github.com/sirupsen/logrus v1.6.0
github.com/spf13/cobra v1.0.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/zap v1.11.0
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
golang.org/x/net v0.0.0-20200202094626-16171245cfb2
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 // indirect
golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae // indirect
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
gopkg.in/natefinch/lumberjack.v2 v2.0.0
)
117 changes: 117 additions & 0 deletions go.sum


20 changes: 20 additions & 0 deletions internal/cert_manager/manager.go
Expand Up @@ -51,6 +51,9 @@ const revokeAuthorizationTimeout = 5 * time.Minute
const cleanupTimeout = time.Minute

var errHaveNoCert = errors.New("have no certificate for domain") // may return for any internal error
var errRSADenied = xerrors.New("RSA certificate denied by config")
var errECDSADenied = xerrors.New("ECDSA certificate denied by config")
var errCertTypeUnknown = xerrors.New("unknown cert type")

type GetContext interface {
GetContext() context.Context
Expand Down Expand Up @@ -98,6 +101,8 @@ type Manager struct {
EnableHTTPValidation bool
EnableTLSValidation bool
SaveJSONMeta bool
AllowECDSACert bool
AllowRSACert bool

certForDomainAuthorize cache.Value

Expand All @@ -121,6 +126,8 @@ func New(client AcmeClient, c cache.Bytes, r prometheus.Registerer) *Manager {
res.Cache = c
res.EnableTLSValidation = true
res.DomainChecker = managerDefaults{}
res.AllowRSACert = true
res.AllowECDSACert = true

res.initMetrics(r)
return &res
Expand Down Expand Up @@ -168,6 +175,19 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (resultCert *tls.Ce

//nolint:funlen,gocognit
func (m *Manager) getCertificate(ctx context.Context, needDomain DomainName, certType KeyType) (resultCert *tls.Certificate, err error) {
switch certType {
case KeyRSA:
if !m.AllowRSACert {
return nil, errRSADenied
}
case KeyECDSA:
if !m.AllowECDSACert {
return nil, errECDSADenied
}
default:
return nil, errCertTypeUnknown
}

certDescription := CertDescriptionFromDomain(needDomain, certType, m.AutoSubdomains)

logger := zc.L(ctx).With(certDescription.ZapField())
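Review bot: The new exported fields AllowECDSACert/AllowRSACert have no doc comment, and a Manager built as a struct literal (as manager_test.go does) silently denies every key type because the zero value is false — only New sets them to true. Suggest documenting both: `// AllowECDSACert / AllowRSACert gate which key types getCertificate will issue or serve. Both must be set explicitly when constructing Manager without New; a zero-value Manager denies everything.` The gate is well placed, since it precedes CertDescriptionFromDomain nothing below it (presumably including any cache lookup) can hand back a denied type; what I cannot see is whether GetCertificate, which chooses certType from the ClientHello, falls back to the other type when one is denied, and that is worth a sentence in its doc. Minor: errRSADenied and friends use xerrors.New while errHaveNoCert two lines above uses errors.New; pick one for the sentinels. getCertificate continues past the end of this hunk.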
16 changes: 16 additions & 0 deletions internal/cert_manager/manager_test.go
Expand Up @@ -182,6 +182,20 @@ func TestManager_CertForDenied(t *testing.T) {
td.CmpError(err)
}

func TestGetCertificateDenyCertificates(t *testing.T) {
td := testdeep.NewT(t)
m := Manager{}

_, err := m.getCertificate(nil, "", KeyRSA)
td.Cmp(err, errRSADenied)

_, err = m.getCertificate(nil, "", KeyECDSA)
td.Cmp(err, errECDSADenied)

_, err = m.getCertificate(nil, "", "")
td.Cmp(err, errCertTypeUnknown)
}

func createManager(t *testing.T) (res testManagerContext, cancel func()) {
ctx, ctxCancel := th.TestContext(t)
mc := minimock.NewController(t)
Expand All @@ -206,6 +220,8 @@ func createManager(t *testing.T) (res testManagerContext, cancel func()) {
DomainChecker: res.domainChecker,
EnableHTTPValidation: true,
EnableTLSValidation: true,
AllowRSACert: true,
AllowECDSACert: true,
certForDomainAuthorize: res.certForDomainAuthorize,
certState: res.certState,
httpTokens: res.httpTokens,
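Review bot: TestGetCertificateDenyCertificates passes a nil context, which only works because the deny switch is the first statement of getCertificate; if any logging or ctx use moves above it the test panics rather than fails. Use the helper the file already has, `ctx, cancel := th.TestContext(t)` / `defer cancel()`, and pass ctx. It would also be worth one positive case, a Manager with AllowRSACert true, to show the gate lets the allowed type through — createManager below sets both flags true, so the existing tests only cover that indirectly.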
23 changes: 11 additions & 12 deletions internal/tlslistener/context_conn.go
Expand Up @@ -2,9 +2,10 @@ package tlslistener

import (
"context"
"github.com/rekby/lets-proxy2/internal/log"
"net"

"github.com/rekby/lets-proxy2/internal/log"

"golang.org/x/xerrors"

"github.com/rekby/lets-proxy2/internal/metrics"
Expand Down Expand Up @@ -35,15 +36,13 @@ func (c ContextConnextion) Close() error {
}

func finalizeContextConnection(conn *ContextConnextion) {
go func() {
logger := zc.L(conn.Context)
defer log.HandlePanic(logger)

if conn.connCloseHandler != nil {
conn.connCloseHandler(xerrors.New("Leak connection"))
conn.connCloseHandler = nil
}
logger.Warn("Leaked connection")
_ = conn.Close()
}()
logger := zc.L(conn.Context)
defer log.HandlePanic(logger)

if conn.connCloseHandler != nil {
conn.connCloseHandler(xerrors.New("Leak connection"))
conn.connCloseHandler = nil
}
logger.Warn("Leaked connection")
_ = conn.Close()
}
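Review bot: finalizeContextConnection now runs connCloseHandler and conn.Close() synchronously, and if it is registered with runtime.SetFinalizer (the name and the "Leaked connection" warning suggest so; the registration is outside this hunk) that work now runs on the runtime's single finalizer goroutine, so a blocking Close on a wedged socket or a slow close handler stalls every other finalizer in the process. The runtime documentation says a finalizer that may take long should start its own goroutine. Keep this function synchronous for the new test, but restore the goroutine at the registration site: `runtime.SetFinalizer(conn, func(c *ContextConnextion) { go finalizeContextConnection(c) })`.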
28 changes: 28 additions & 0 deletions internal/tlslistener/context_conn_test.go
Expand Up @@ -39,3 +39,31 @@ func TestContextConnextion_Close(t *testing.T) {
}}
td.CmpDeeply(c.Close(), testErr)
}

func TestFinalizeContextConnection(t *testing.T) {
var c ContextConnextion
var connMock *ConnMock
td := testdeep.NewT(t)
ctx, flush := th.TestContext(t)
defer flush()

connMock = NewConnMock(td)
defer func() { _ = connMock.Close() }()

connMock.CloseMock.Expect().Return(nil)

closeHandlerCalledWithError := false

c = ContextConnextion{
Conn: connMock,
Context: ctx,
connCloseHandler: func(err error) {
if err != nil {
closeHandlerCalledWithError = true
}
},
}

finalizeContextConnection(&c)
td.True(closeHandlerCalledWithError)
}
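Review bot: TestFinalizeContextConnection only checks that the close handler saw an error; it does not verify the two other effects the function has — connCloseHandler is cleared, so a second finalize cannot invoke it again, and the underlying Conn is closed. Add `td.Nil(c.connCloseHandler)` after the call, and confirm whether NewConnMock(td) enforces CloseMock's expectation when the test ends; minimock normally needs a controller whose Finish runs to report an uncalled expectation, so the Close assertion may currently be silent. Style: `var connMock *ConnMock` followed by a later assignment can be a single `connMock := NewConnMock(td)`.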
